ISP培训设计对提升员工信息安全合规性的现场实验研究

A field experiment on ISP training designs for enhancing employee information security compliance

European Journal of Information Systems · 2024
被引 9
ABS 4

中文导读

通过现场实验,研究了在信息安全政策培训中加入威慑和威胁论证对员工合规行为的影响,发现能提升培训效果并维持三周。

Abstract

Information security policy (ISP) training plays an important role in enhancing organisational resilience against cyber threats by providing employees with the necessary knowledge and skills to effectively identify, prevent, and respond to security breaches. This research aims to explore how the use of deterrence arguments and threat arguments can enhance the effectiveness of ISP training. We theorise how ISP training affects employees’ ISP compliance behaviour by arguing for a transfer of training lens to study the effectiveness of ISP training. The results of our field experiment with triangulated data suggest that the effect of argumentative-enhanced ISP training is twofold. First, employees who participated in enhanced training sessions with deterrence and threat arguments demonstrated superior training outputs after the training, which, in turn, translated into a sustained training outcome three weeks after the training. Second, we also find evidence that threat arguments can reinforce the application of training outputs in the maintenance stage of learned behaviours. With this applied research study, we contribute to the research and practice by providing empirical evidence of the effectiveness of ISP training designs.

信息安全员工合规行为培训设计威慑与威胁论证